Analysis

max time kernel: 192s
max time network: 230s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 10:26

Static task: static1
Behavioral task: behavioral1
Sample: 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
Resource: win7-20220812-en
General

Target: 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
Size: 328KB
MD5: 0a61198a602ad05a7403de6af79fddd4
SHA1: 83f3ed2c51f94c254726a50dc4d84c7220b9a456
SHA256: 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332
SHA512: 2e9e4b78475e441279733e121f6298bb1687f40fc856824a1b5056128c299318d892b3153e352cc3b79e09899cf300f81324cdaeddde393f4761d99c7721b248
SSDEEP: 6144:F4Yv4qWJz289Fl1UWLPeTpaJujNz3yNNXnN9QduZzzuY2j6zPIsgip:RNWfHjWTpaO+N96AZk2Isz
Malware Config

Extracted
cybergate
2.6
Tuzick
six17.no-ip.info:81
***MUTEX***

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: msconfig
install_file: msconfig.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msconfig\\msconfig.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msconfig\\msconfig.exe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe

Executes dropped EXE (3 IoCs)
pid | Process
4988 | svchost.exe
3400 | svchost.exe
2308 | msconfig.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5}\StubPath = "C:\\Windows\\system32\\msconfig\\msconfig.exe Restart" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5}\StubPath = "C:\\Windows\\system32\\msconfig\\msconfig.exe" | explorer.exe

resource | yara_rule
behavioral2/memory/4988-144-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/4616-152-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4988-149-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4616-155-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4988-157-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
behavioral2/memory/4988-163-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3400-167-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3400-168-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3400-171-0x0000000024160000-0x00000000241C2000-memory.dmp | upx

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msconfig\\msconfig.exe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msconfig\\msconfig.exe" | svchost.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\msconfig\msconfig.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\msconfig\msconfig.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\msconfig\msconfig.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\msconfig\ | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3932 set thread context of 4988 | 3932 | 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe | 80

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4988 | svchost.exe
4988 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3400 | svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3400 | svchost.exe
Token: SeDebugPrivilege | 3400 | svchost.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4988 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows repeated in the original listing are shown once)
description | pid | Process | procid_target
PID 3932 wrote to memory of 4988 | 3932 | 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe | 80
PID 3932 wrote to memory of 3716 | 3932 | 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe | 81
PID 4988 wrote to memory of 2204 | 4988 | svchost.exe | 37
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 2204

   2. C:\Users\Admin\AppData\Local\Temp\2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 3932

      3. C:\Users\Admin\AppData\Local\Temp\svchost.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         PID: 4988

         4. C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            - Modifies Installed Components in the registry
            PID: 4616

         4. C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 3316

         4. C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Drops file in System32 directory
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 3400

            5. C:\Windows\SysWOW64\msconfig\msconfig.exe
               Command line: "C:\Windows\system32\msconfig\msconfig.exe"
               - Executes dropped EXE
               PID: 2308

      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"
         PID: 3716
Downloads

Filesize: 229KB
MD5: 56af548c49acb7d314a228d49b2a2a32
SHA1: b76d0c88560d8dd0744bceb19c627ba4122d64e0
SHA256: f46d6b5b8d841fc784f503d9878ff7d7479f2e2b71556dd9c7b8d891d5b88234
SHA512: 6aa0523adce98440dbc119e229afe42e6f1cff6fbfe29e954d946d6efc106c7be9e5c696ece31bbd6678ccc84fd274a64b38401bf9b9af0def1368d0ecefa59c

Filesize: 378B
MD5: fa87c36e56bb1f03f973d0125e286a09
SHA1: a47c79279865ad55be60eda927f6f0ad45053b7e
SHA256: d79606af3b78ec19255b43ac4050b477ee82b2d0f857c3a691111cd9ea667afd
SHA512: d867d6937551af2e4e9e18160312885be5659c0cd9f1c9ae112f2b6f887a31486700bb43567d6ef9c0070483c1233f5a5746af37c10b2d0fbc957c360318598a

Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0